Bugcrowd bug report to a Private Program: Kata Containers was found to be vulnerable to an issue allowing Kata VMs to write to hostPath mount points which should have been read only. This issue was fixed in the Kata Containers project and assigned CVE-2020-28914.
HackerOne bug report to GitLab: GitLab-Runner, when running on Windows with a docker executor, is vulnerable to Command Injection via the DOCKER_AUTH_CONFIG build variable. Injected commands are executed on the container host, not within a Docker container, as such could compromise all future builds which are executed by the runner.
HackerOne bug report to Greenhouse.io: The configuration of the Sintra framework application hosted at oauth-redirector.services.greenhouse.io exposes internal information when exceptions occur. The application is configured with the show_exceptions setting which causes internal application configuration, environment variables and source code snippets to be exposed when exceptions occur.
HackerOne bug report to SEMrush: The Semrush Ad Builder for Display Ads is vulnerable to path traversal when extracting zip files and referencing images from the embedded data.csv file.
HackerOne bug report to WordPress: The Wordpress unzip_file function (https://codex.wordpress.org/Function_Reference/unzip_file) is vulnerable to path traversal when extracting zip files. Extracting untrusted zip files using this function this could lead to code execution through placing arbitrary PHP files in the DocumentRoot of the webserver.
HackerOne bug report to GitLab: The GitLab::UrlBlocker IP address validation methods suffer from a Time of Check to Time of Use (ToCToU) vulnerability. The vulnerability occurs due to multiple DNS resolution requests performed before and after the checks. This issue allows a malicious authenticated user to send GET and POST HTTP requests to arbitrary hosts, including the localhost, cloud metadata services and the local network, and read the HTTP response.
HackerOne bug report to GitLab: Importing a modified exported GitLab project archive can overwrite uploads for other users. If the secret and file name of an upload are known (these can be easily identified for any uploads to public repositories), any user can import a new project which overwrites the served content of the upload with arbitrary content.
HackerOne bug report to New Relic: The Ticketing Integrations Jira webhooks for Jira 5/6 and Jira 4 are vulnerable to Blind SSRF issues. These endpoints can be abused to map internal NewRelic network services and send blind HTTP GET and POST requests to identified services.
The p4 Helix Command-Line Client uses the optional P4CLIENTPATH environment variable to restrict directories to which the application permitted to read or write files. This configuration can be trivially bypassed allowing a malicious Perforce server to read or write arbitrary files on the client system.
HackerOne bug report to Lob: The Template Preview function allows users to render arbitrary HTML to a PDF document, this includes the ability to execute arbitrary Javascript. The HTML agent used to render the HTML is based on an old version of WebKit which has known security issues, for which public exploits and Proof of Concepts (PoCs) are available.
The p4 Helix Command-Line Client accepts and responds to Perforce protocol commands supplied by a connected server without any validation. A malicious Perforce server can send arbitrary Perforce protocol commands to connecting clients in order to expose the contents of client system files or write arbitrary files on the client system.
HackerOne bug report to Ubiquiti Inc.: The UniFi Video Configuration Restore functionality is vulnerable to a path traversal vulnerability when extracting the contents of POSTed zip files.
HackerOne bug report to Ubiquiti Inc.: The UniFi Video Configuration Restore functionality is vulnerable to CSRF. A successful attack would allow modification of any application configuration setting, including creating new administrative users.
HackerOne bug report to SEMrush: The Project Site Audit function is vulnerable to XXE when parsing sitemap.xml files.
Private Internet Access(PIA) VPN users connecting to the PIA VPN service from an untrusted/malicious network are at risk of having all VPN tunnelled HTTP(S) traffic intercepted. The PIA client for Windows honours the Web Proxy Auto-Discovery (WPAD) settings configured by the local network the client is connecting from.
Windows OpenVPN users connecting to a VPN network from an untrusted/malicious network are at risk of having all VPN tunnelled HTTP(S) traffic intercepted by a 3rd party. OpenVPN on Windows honours the Web Proxy Auto-Discovery (WPAD) settings, configured by the network the client is connecting from, on VPN connections.
Malicious Proxy Auto-Config (PAC) files allow for the disclosure of SSL/TLS encrypted HTTPS request URLs (including full paths and query strings) from Firefox.
Malicious Proxy Auto-Config (PAC) files allow for the disclosure of SSL/TLS encrypted HTTPS request URLs (including full paths and query strings) from Chrome.
Dompdf is vulnerable to a file disclosure vulnerability which can be exploited by anonymous, unauthenticated attackers to download arbitrary files from the underlying hosting server. Exploitation of this issue requires a non-standard configuration option to be set, specifically the DOMPDF_ENABLE_REMOTE option must be set to true.
The Almost Native Graphics Layer Engine (ANGLE) library as used in Mozilla Firefox is vulnerable to an integer overflow vulnerability leading to memory corruption which may allow an attacker to exploit the browser process. The ANGLE library is used by Firefox on Windows as a bridge between the OpenGL ES 2.0 API and DirectX.
The Almost Native Graphics Layer Engine (ANGLE) library as used in Google Chrome is vulnerable to an integer overflow vulnerability leading to memory corruption which may allow an attacker to exploit the browser process. The ANGLE library is used by Chrome on Windows as a bridge between the OpenGL ES 2.0 API and DirectX.